ICO imposes fines of £80,000 and £60,000

The Information Commissioner’s Office (ICO) used its enforcement powers, in the form of civil monetary penalties (“fines”), against North Somerset Council and Worcestershire County Council on 28 November for their breaches of the Data Protection Act. Both authorities sent highly sensitive personal information to the wrong recipients.

Worcestershire County Council was fined £80,000 for an email error in which 23 unintended recipients received highly sensitive personal information. The ICO says that the Council had failed to properly train its staff or to put access restrictions in place.

North Somerset Council, which was fined £60,000, suffered a data breach when a council employee sent five emails to the wrong National Health Service employee, two of which contained highly sensitive and confidential information about a child’s serious case review. The issue was identified but the council emailed the same recipient another three times. Again, the relevant staff had not received enough data protection training.

Prior to these fines, the ICO had issued just six monetary penalties, most of them on local councils. Whilst the highest fine so far has been £120,000 (Surrey County Council), the ICO can potentially issue fines of up to £500,000.

See the ICO notice.

Privacy Laws & Business is running its Introduction to Data Protection course on November 30th and its Data Protection Auditing course on December 13th and 14th, both in London.